We've said it a time or two, and we'll say it again: we take security seriously. Access management is part of that. Find out below how we manage authentication and access to systems for both Redoxers and customers using the Redox dashboard.
By default, Redoxers are denied access to internal systems, applications, and customer data. Access is granted only on a minimum-necessary basis, following the principle of least privilege.
Each Redoxer has a unique username and a strong password for access to our internal systems. We align our password policy with the National Institute of Standards and Technology (NIST) password guidelines and best practices, which favor length over composition rules and multi-factor authentication (MFA) over forced periodic rotation.
As such, we require a minimum password length of 16 characters and require MFA wherever it is supported. We have single sign-on (SSO) in place for access to all internal systems.
Access provisioning is based on the role assigned in our human resources information system (HRIS). If a role carries certain access rights, a user receives those rights when they're assigned the role, and loses them when they leave it. Contractors are provisioned the same way as employees but are placed in their own roles. We update the access rights attached to each role as business needs change.
We review critical system accounts and privileged access rights every 60 days. We review standard user accounts upon hire, termination, and role change.
This section applies to customers who are members of your Redox organization. See the separate guide on managing your access control.
We require the following password parameters for the Redox dashboard:
- Password must not contain common or repeated words and characters.
- Password must be longer than 8 characters and shorter than 72 characters. Any character is allowed, including Unicode and whitespace.
- Password must not contain your name, email, or organization name.
- Password must include two of the four categories: A-Z, a-z, 0-9, and special characters (~!@#$%^&*/?).
- The account is locked after 3 failed login attempts.
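The list above can be read as a specification. The validator below is an added illustration written for this page, not Redox's own code: it applies the length, category, personal-identifier and repetition rules to a candidate password and reports every violation at once. The common-word list, the splitting of names into tokens, and the exact meaning of "repeated words and characters" are assumptions, since the page does not define them; the sample account and passwords are constructed.

```python
"""Illustrative validator for the dashboard password rules listed above.
Added example, not Redox's code; the common-word list, the name tokenisation
and the definition of "repeated" are assumptions."""
import re
from dataclasses import dataclass

SPECIALS = set("~!@#$%^&*/?")  # the special characters the page lists
# Constructed sample list; the page does not publish the real one.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "redox"}


@dataclass
class Account:
    name: str
    email: str
    organization: str


def category_count(pw: str) -> int:
    """Count how many of the four ASCII classes appear. Non-ASCII letters
    such as 'é' are allowed by the length rule but fall into none of them."""
    return sum([
        any("A" <= c <= "Z" for c in pw),
        any("a" <= c <= "z" for c in pw),
        any("0" <= c <= "9" for c in pw),
        any(c in SPECIALS for c in pw),
    ])


def check_password(pw: str, acct: Account) -> list[str]:
    """Return a list of rule violations; an empty list means the password passes."""
    problems: list[str] = []

    # Length is counted in code points, so Unicode and whitespace count once each.
    n = len(pw)
    if not 8 < n < 72:
        problems.append(f"length {n} is not between 9 and 71 characters")

    if category_count(pw) < 2:
        problems.append("needs at least two of: A-Z, a-z, 0-9, ~!@#$%^&*/?")

    # Personal identifiers are compared case-insensitively. Assumption: name and
    # organization are split into tokens of three or more characters, and the
    # local part of the email is checked as well as the full address.
    folded = pw.casefold()
    identifiers = {acct.email, acct.email.split("@", 1)[0]}
    identifiers.update(t for t in acct.name.split() if len(t) >= 3)
    identifiers.update(t for t in acct.organization.split() if len(t) >= 3)
    for ident in sorted(identifiers):
        if ident and ident.casefold() in folded:
            problems.append(f"contains personal identifier {ident!r}")

    for word in sorted(COMMON_WORDS):
        if word in folded:
            problems.append(f"contains common word {word!r}")

    # Assumption for "repeated characters": the same character three or more
    # times in a row; for "repeated words": a run of two or more characters
    # immediately repeated, e.g. "abcabc".
    if re.search(r"(.)\1{2,}", pw):
        problems.append("contains a character repeated three or more times in a row")
    if re.search(r"(.{2,})\1", pw):
        problems.append("contains an immediately repeated sequence")

    return problems


if __name__ == "__main__":
    acct = Account("Ada Lovelace", "ada@example.org", "Example Health")
    for candidate in ["Tr0ub4dor&3", "héllo wörld again", "adaRocks2024!", "aaaPassword1"]:
        print(repr(candidate), check_password(candidate, acct) or "OK")
```

Note the interaction between the two rules the page states separately: "héllo wörld again" is well within the length limits and uses only permitted characters, but because accented letters count toward none of the four ASCII categories it still fails the two-category requirement.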
MFA is available to any user via SMS text message. Organization owners can see which users have enabled MFA in the dashboard. Keep in mind that SMS is a weaker second factor than an authenticator app or hardware key (NIST SP 800-63B classifies it as a restricted authenticator); customers who need stronger MFA can enforce it through their own identity provider using SSO.
If you don't want to input the MFA tokens every time you log in, you can check the box for the option: "Remember this device for 30 days." You'll still have to enter the MFA tokens, though, if you explicitly log out, use a new device or incognito browser, or delete browser cookies.
We support SSO via Security Assertion Markup Language (SAML). SSO lets you enforce your own password complexity requirements and more stringent MFA rules through your own identity provider.